Detection of denial of service attacks against SIP (session initiation protocol) elements

ABSTRACT

A method and apparatus directed to detecting DoS (denial of service) attacks against SIP enabled devices. A substantial imbalance between an accounting of SIP INVITE (INV) and SIP 180 Ringing (N₁₈₀) messages indicates a DoS attack. Preferably the number (H) of INVITE messages including credentials (INV_(c)) that are sent from a user client in response to a 407 Authentication Required message from a proxy server are removed from the accounting before the balance is tested. If the equation INV_(o)+INV_(c)−H=N₁₈₀ (where INV_(o) is the number of INVITE messages without credentials) is not true within a small margin of error then the presence of a current DoS attack on the proxy server is indicated by the inequality.

BACKGROUND AND BRIEF DESCRIPTION OF THE INVENTION

A denial of service attack involves blocking somebody's ability to use some service on a network. Denial-of-Service (DoS) attacks are common across the Internet with many being launched daily at various targets. Many of the attacks involve specially constructed packets or messages designed to either take advantage of flaws in software, or to tie up resources within devices (packet flooding attacks). In some cases, these packet flooding attacks can be directed at devices providing Session Initiation Protocol (SIP) functionality.

SIP is an application level protocol providing multimedia signaling functionality across packet networks. SIP user agents and proxy servers can be used as building blocks to construct IP telephony networks. An example SIP network is depicted in FIG. 1. Typical successful SIP message exchanges between a User Agent Client (UAC) and a proxy server for a call initiation are depicted in FIGS. 2, 3 and 4.

The SIP network architecture can be very flexible, with components distributed throughout IP networks, some trusted (private transport networks), some not (Internet). Once SIP components are connected to a network that cannot be trusted, the system becomes vulnerable to attacks.

A malicious user can send message floods against SIP elements (as defined in IETF RFC 3261) and render them partially or completely unusable to other users on the network. The present invention provides a solution for detecting malicious INVITE message floods against SIP elements.

In general, for an INVITE flood, the malicious user sends many INVITE messages to a SIP element. The SIP element encounters resource exhaustion when it attempts to keep track of the large number of calls. When legitimate users attempt to make a call, the SIP element is unable to process the messages due to a lack of resources (memory, CPU, etc).

The closest prior art solution to the problem is disclosed in an article by B. Reynolds and D. Ghosal entitled “Secure IP Telephony using Multi-layered Protection”, Proceedings of NDSS '03, February 2003 (hereinafter “Reynolds et al”). In Reynolds et al, a method is proposed for detection of SIP INVITE message flooding attacks. For each end user, the balance between INVITE and OK messages is used to determine whether the user is under attack. The method uses cumulative sum based change-point detection to analyze when the difference between INVITE and OK is too large.

This prior art solution provides no mechanisms for protecting the infrastructure of the SIP network and the domain of the service provider. An attacker could send a message flood through a proxy server against a non-existent end user. This could result in denial-of-service for all users served by the proxy server. The method described here provides detection mechanisms for the network infrastructure (core and edge proxy servers, etc).

Secondly, this prior art does not take SIP authentication into account. For many systems, some or all of the users will be forced to authenticate themselves to the proxy server when sending INVITE requests. When authentication is introduced the method proposed in this prior art fails.

Finally, the prior art solution uses the balance of SIP INVITE vs. OK messages. The OK message is only sent once the destination user chooses to answer a call. Each user that does not answer their phone results in an imbalance. This could result in additional false positives.

THE PRESENT INVENTION

The present invention provides a method and system for detecting DoS (denial of service) attacks against SIP enabled devices. The invention is characterized in that a substantial imbalance between an accounting of SIP INVITE (INV) and SIP 180 Ringing (N₁₈₀) messages indicates a DoS attack. This is distinguishable from the prior art, which teaches using an accounting of SIP INVITE and SIP OK messages, resulting in more false positives than the present solution.

Preferably, the number (H) of INVITE messages including credentials (INV_(c)) that are sent from a user client in response to a 407 Authentication Required message from a proxy server are removed from the accounting before the balance is tested. That is, if the equation INV_(o)+INV_(c)−H=N₁₈₀ (where INV_(o) is the number of INVITE messages without credentials) is not true within a small margin of error then the presence of a current DoS attack on the proxy server is indicated by the inequality.

DESCRIPTION OF THE DRAWINGS

The above and other objects, advantages and features of the invention will become more apparent when considered with the following specification and accompanying drawings wherein:

FIG. 1 depicts an embodiment of SIP network architecture incorporating the invention,

FIG. 2 depicts the message handshakes for an unauthenticated SIP call initiation,

FIG. 3 depicts the “full” message handshake for a user requiring authentication,

FIG. 4 depicts the message handshake for a user with information allowing pre-authentication as described in IETF RFC 2617,

FIG. 5 depicts a possible calculated value for detecting SIP INVITE flooding attacks, and

FIG. 6 depicts the flow chart for determining whether an INV_(c) message is part of a full authentication handshake, or a pre-authenticated handshake.

DETAILED DESCRIPTION OF THE INVENTION

The present invention examines the balance between incoming INVITE and outgoing 180 Ringing messages. The 180 message is re-sent by the server once the destination user agent has been identified and has been successfully contacted. The 180 message is sent regardless of whether the end user answers the call or not and thus identifies a legitimate call.

The present invention differentiates between INVITE messages with authentication credentials given in the “Proxy-Authorization” header field (INV_(c)) and those without (INV_(o)). For a system with no authentication enabled (FIG. 2), the number of INV_(o) messages should be approximately equal to the number of 180 Ringing messages. In a system with authentication enabled for all users (FIG. 3) the number of INV_(c) messages will be approximately equal to the number of 180 messages. For these systems it is possible to use change-point detection techniques to determine when the two values suddenly are out of balance. The imbalance indicates that a flooding attack is underway.
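The change-point test referred to above can be carried out with a one-sided cumulative sum (CUSUM) over the per-interval imbalance between INVITE and 180 Ringing counts. The following is an added example and not code from the patent or from Reynolds et al; the interval counts, the allowance k and the threshold h are constructed values that an operator would tune from observed traffic.

```python
from dataclasses import dataclass


@dataclass
class CusumFloodDetector:
    """One-sided CUSUM over the per-interval imbalance (INVITE - 180 Ringing).

    k is the allowance: the small positive imbalance expected per interval
    under normal load, since calls to busy or non-existent users produce an
    INVITE with no 180. h is the decision threshold. Both are constructed
    values for this example, not figures from the patent.
    """
    k: float
    h: float
    s: float = 0.0          # accumulated statistic, clamped at zero

    def update(self, invites: int, ringing: int) -> bool:
        """Feed one interval's counts; return True while the alarm condition holds."""
        d = invites - ringing
        self.s = max(0.0, self.s + d - self.k)
        return self.s > self.h

    def reset(self) -> None:
        """Clear the statistic, e.g. after an operator acknowledges an alarm."""
        self.s = 0.0


def detect_flood(intervals, k=5.0, h=50.0):
    """Return the indices of the intervals at which the CUSUM exceeds h."""
    det = CusumFloodDetector(k=k, h=h)
    return [i for i, (inv, ring) in enumerate(intervals) if det.update(inv, ring)]


# Constructed per-interval (INVITE, 180 Ringing) counts: six intervals of
# normal load, then a ramp into a flood where INVITEs grow but 180s do not.
SAMPLE_INTERVALS = [
    (100, 97), (98, 96), (105, 101), (110, 104), (99, 98), (101, 100),
    (130, 98), (140, 97), (260, 96), (400, 95),
]

if __name__ == "__main__":
    print("alarm at intervals:", detect_flood(SAMPLE_INTERVALS))   # [7, 8, 9]
```

With these values the small legitimate imbalance of the first six intervals never lifts the statistic above 1, the first ramp interval (130 vs 98) raises it to 27 without alarming, and the second pushes it past h, so a gradual ramp is caught once its excess accumulates while a sudden flood trips the detector in the same interval it starts. The allowance k is where the "small errors" from unanswered or misdirected calls are absorbed; setting it too low turns that noise into alerts, setting it too high delays detection.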

Detection is more difficult when the system is mixed, with only some users requiring authentication. For the “full” authentication handshake described in FIG. 3 there is an INV_(o) and an INV_(c) message for a single 180 Ringing message, whereas for the handshakes in FIGS. 2 and 4 there is only one INVITE message per 180.

According to this embodiment, a preferred system utilizes a SIP proxy server to receive SIP messages, determines whether the SIP messages are INVITE or 180 messages (and, optionally, 407 or 401 messages), identifies the “full” authentication handshake, and then determines whether an imbalance exists based on the number of INVITE messages with credentials upon taking into account the “full” authentication handshake. This may be accomplished by means of the software illustrated in FIG. 6, which includes a table containing unique call-info values. The call-info could consist of call-IDs or digest authentication nonces. When a 407 Authentication Required message is sent from the proxy server to a UAC, the call-info from that message is stored within the table.

For each INV_(c) message that is received by the proxy, the call-info table is searched. If the call-info from the INV_(c) message appears in the call-info table, this indicates that the INV_(c) message is part of a “full” authentication handshake. We label the number of matches as parameter H. When a match is found in the table, the entry is then deleted.

The H value can now be used to adjust the balance equation and improve the accuracy of detection. One possible equation for detection is shown in FIG. 4.
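The accounting with the call-info table described in the preceding paragraphs, as an added example that is not the patent's software of FIG. 6 nor any product code: a small classifier over raw SIP messages observed at the proxy that keeps the INV_(o), INV_(c), H and N₁₈₀ counters and evaluates INV_(o)+INV_(c)−H=N₁₈₀ within a margin. It uses digest nonces as the call-info, one of the two options the text names. The message texts, host names and nonce values are constructed, and the direction tag ("in" for messages the proxy receives, "out" for messages it sends) is an assumption about how the observation point labels traffic.

```python
import re
from dataclasses import dataclass, field

NONCE_RE = re.compile(r'nonce="([^"]+)"')


@dataclass
class Accounting:
    inv_o: int = 0      # INVITEs without a Proxy-Authorization header (INV_o)
    inv_c: int = 0      # INVITEs carrying a Proxy-Authorization header (INV_c)
    n180: int = 0       # 180 Ringing responses sent by the proxy (N_180)
    h: int = 0          # INV_c messages matched to an earlier 407 (H)
    call_info: set = field(default_factory=set)   # nonces issued in 407 responses


def parse(raw):
    """Split a SIP message into its start line and a lower-cased header dict (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def observe(acc, direction, raw):
    """Update the accounting for one message seen at the proxy."""
    start, headers = parse(raw)
    if direction == "in" and start.startswith("INVITE "):
        auth = headers.get("proxy-authorization")
        if auth is None:
            acc.inv_o += 1
            return
        acc.inv_c += 1
        m = NONCE_RE.search(auth)
        # A credentialed INVITE whose nonce we issued in a 407 completes a
        # "full" handshake (FIG. 3): count it in H and consume the table entry.
        if m and m.group(1) in acc.call_info:
            acc.h += 1
            acc.call_info.discard(m.group(1))
    elif direction == "out" and start.startswith("SIP/2.0 "):
        code = int(start.split()[1])
        if code == 407:
            m = NONCE_RE.search(headers.get("proxy-authenticate", ""))
            if m:
                acc.call_info.add(m.group(1))
        elif code == 180:
            acc.n180 += 1


def balance(acc):
    """INV_o + INV_c - H - N_180; close to zero for legitimate traffic."""
    return acc.inv_o + acc.inv_c - acc.h - acc.n180


def is_attack(acc, margin=5):
    """The equation fails outside the margin: flag a current INVITE flood."""
    return abs(balance(acc)) > margin


def replay(messages):
    acc = Accounting()
    for direction, raw in messages:
        observe(acc, direction, raw)
    return acc


# --- constructed sample traffic (not captured from any real system) --------
def invite(call_id, nonce=None):
    hdrs = [f"Call-ID: {call_id}", "To: <sip:bob@example.invalid>"]
    if nonce is not None:
        hdrs.append(f'Proxy-Authorization: Digest username="alice", nonce="{nonce}", response="00"')
    return "INVITE sip:bob@example.invalid SIP/2.0\r\n" + "\r\n".join(hdrs) + "\r\n\r\n"


def response(code, reason, call_id, nonce=None):
    hdrs = [f"Call-ID: {call_id}"]
    if nonce is not None:
        hdrs.append(f'Proxy-Authenticate: Digest realm="example.invalid", nonce="{nonce}"')
    return f"SIP/2.0 {code} {reason}\r\n" + "\r\n".join(hdrs) + "\r\n\r\n"


NORMAL_TRAFFIC = [
    ("in", invite("a1")), ("out", response(180, "Ringing", "a1")),                       # FIG. 2
    ("in", invite("b1")), ("out", response(407, "Proxy Authentication Required", "b1", "n1")),
    ("in", invite("b1", nonce="n1")), ("out", response(180, "Ringing", "b1")),          # FIG. 3
    ("in", invite("c1", nonce="n9")), ("out", response(180, "Ringing", "c1")),          # FIG. 4
]
FLOOD_TRAFFIC = [("in", invite(f"flood-{i}")) for i in range(50)]   # INVITEs with no 180s

if __name__ == "__main__":
    for name, traffic in (("normal", NORMAL_TRAFFIC), ("flood", NORMAL_TRAFFIC + FLOOD_TRAFFIC)):
        acc = replay(traffic)
        print(name, acc.inv_o, acc.inv_c, acc.h, acc.n180, "balance", balance(acc), "attack", is_attack(acc))
```

On the normal traffic the three handshake types give INV_(o)=2, INV_(c)=2, H=1, N₁₈₀=3, so the balance is exactly zero even though the FIG. 3 call contributed two INVITEs; without the H correction the mixed system would show a standing imbalance. Appending the flood raises the balance to 50 and the detector fires. Two practical points the page leaves open: the variant for User Agents swaps the 407/Proxy-Authenticate and Proxy-Authorization headers for 401/WWW-Authenticate and Authorization, and the call-info table only shrinks on a match, so entries from 407s that are never followed up need an age-out or the table itself becomes a resource-exhaustion target under a flood.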

The same approach can be used for detection of INVITE flooding attacks against User Agents. In this case the invention uses the authentication information found in the 401 Unauthorized messages instead of 407 messages.

The invention allows for analysis of aggregated traffic rather than maintaining statistics per user as is done in Reynolds et al. The problem with per user statistics is that the analysis engine may suffer from resource exhaustion due to tracking a large number of users. An aggregated solution does not suffer from this problem.

Secondly, the invention takes systems with authentication enabled into account. It is very likely that at least some of the users will require authentication, so it is not possible to disregard this aspect.

Finally, using the 180 Ringing message rather than the OK message results in fewer false positives, as answering the call by the destination user is not taken into account in the approach disclosed herein.

While there will be small errors introduced into the system by legitimate calls to incorrect destinations or calls where the user is already on the phone, in these situations the proxy server will receive the INVITE messages, but there will not be any 180 Ringing messages. This should generally occur rarely and should not greatly affect the accuracy of the method.

The ability to detect DoS attacks against SIP-enabled devices is of great value to operators of network services. Efficient DoS detection mechanisms may prove to be value-adding differentiators in the network equipment market. Competitors who add such features to their network equipment may find themselves at an advantage.

While the invention has been described in relation to preferred embodiments of the invention, it will be appreciated that other embodiments, adaptations and modifications of the invention will be apparent to those skilled in the art.

1. A method of detecting denial of service (DoS) attacks in an Internet accessible network having at least one proxy server incorporating a session initiation protocol (SIP), said SIP including incoming INVITE messages that request set-up of an Internet telephone call and outgoing 180 Ringing messages that indicate ringing, the method comprising: aggregating said INVITE messages and said 180 Ringing messages for all users on said Internet accessible network; detecting an imbalance between a number of said INVITE and 180 Ringing messages resulting from a DoS attack; and providing an indication of a presence of a current DoS attack on said proxy server based on detection of said imbalance.

2. The method of claim 1, wherein a number (H) of INVITE messages including credentials that are sent from a user client in response to an authentication required message from the proxy server, said credentials being information used by the proxy server to authenticate the INVITE messages, are removed from an accounting before the imbalance is tested such that when an equation: INV_(o)+INV_(c)−H=N₁₈₀, where INV_(o) is a number of INVITE messages without said credentials, INV_(c) is a number of INVITE messages with said credentials, and N₁₈₀ is a number of said 180 Ringing messages, is not true within a predetermined margin of error, then the presence of said current DoS attack on the proxy server is indicated by an inequality in said equation.

3. The method of claim 2, further comprising: creating a call information table at said proxy server for determining a value of H.

4. A system for detecting denial of service (DoS) attacks against session initiation protocol elements in an Internet accessible network having at least one proxy server, said system comprising: means for aggregating incoming INVITE messages and outgoing 180 Ringing messages for all users on said Internet accessible network; and means, within said proxy server, for determining if a number of said INVITE messages including credentials (INV_(c)) sent to said proxy server from user clients in response to an authentication requirement exceeds a number of said 180 Ringing messages that indicates a DoS attack, said credentials being information used by the proxy server to authenticate the INVITE messages.

5. A system for detecting denial of service (DoS) attacks in an Internet accessible network having at least one proxy server incorporating a session initiation protocol (SIP), said system comprising: means for aggregating incoming INVITE messages and outgoing 180 Ringing messages for all users on said Internet accessible network; and means, within said proxy server, for detecting an imbalance between a number of said INVITE and said 180 Ringing messages, the imbalance indicating a presence of a current DoS attack on said proxy server.

6. The system of claim 4, wherein said means for determining creates a call-info table for use in tracking said INVITE messages.

7. The system of claim 5, wherein said means for detecting creates a call-info table for use in tracking said INVITE messages.